Abstract: Disclosed herein are embodiments of systems, methods, and products comprise an analytic server, which detects and defends against malware in-flight regardless of the specific nature and methodology of the underlying attack. The analytic server learns the system's normal behavior during testing and evaluation phase and trains a machine-learning model based on the normal behavior. The analytic server monitors the system behavior during runtime comprising the runtime behavior of each sub-system of the system. The analytic server executes the machine-learning model and compares the system runtime behavior with the normal behavior to identify anomalous behavior. The analytic server executes one or more mitigation instructions to mitigate malware. Based on multiple available options for mitigating malware, the analytic server makes an intelligent decision and takes the least impactful action that have the least impact on the system to maintain mission assurance.

Abstract: Systems, methods, and products comprise an analytic server, which improves security of a unified system of distributed network infrastructure comprising a plurality of cyber-physical systems. The analytic server may instantiate a sub attack tree for each cyber-physical system within the unified system. The analytic server may determine how the interconnection of the plurality of cyber-physical systems may affect the unified system security. The analytic server may monitor systems and receive electronic notifications of alerts in real-time from devices in the plurality of cyber-physical systems. The analytic server may follow the logic of the attack tree model by traversing the attack tree from bottom up and determine how the alerts from the cyber-physical systems may affect the distributed network infrastructure as a whole. The analytic server may generate reports comprising a list of the prioritized attacks and recommendation actions to mitigate the attacks.

Abstract: The methods and systems disclosed herein generally relate to automated execution and evaluation of computer network training exercises, such as in a virtual environment. A server generates a training system having a virtual attack machine and a virtual target machine where the virtual target machine is operatively controlled by a trainee computer. The server then executes a simulated cyber-attack and monitors/collects actions and responses by the trainee. The server then executes an artificial intelligence model to evaluate the trainee's action and to identify a subsequent simulated cyber-attack (e.g., a next step to the simulated cyber-attack). The server may then train the artificial intelligence model using various machine-learning techniques using the collected data during the exercise.

Abstract: Embodiments disclosed herein describe systems and methods for assessing vulnerabilities of embedded non-IP devices. In an illustrative embodiment, a system of assessing the vulnerabilities of embedded non-IP devices may be within a portable device. The portable device may include a plurality of wired connectors for various wired communication/data transfer protocols. The portable device may include tools for analyzing the firmware binaries of the embedded non-IP devices, such as disassemblers and modules for concrete and symbolic (concolic) execution. Based upon the disassembly and the concolic execution, the portable device may identify vulnerabilities such as buffer overflows and programming flaws in the firmware binaries.

Abstract: In general, this disclosure describes media stream transmission techniques for a computing device. The computing device captures a first media item and identifies a primary portion of the first media item and a secondary portion of the first media item different than the primary portion. The computing device applies a first compression algorithm to the primary portion of the first media item to generate a compressed primary portion. The computing device applies a second compression algorithm to the secondary portion of the first media item to generate a compressed secondary portion, where a data compression ratio of the second compression algorithm is greater than a data compression ratio of the first compression algorithm. The computing device transmits, to a central computing device, the compressed primary portion of the first media item and the compressed secondary portion of the first media item.

Abstract: Disclosed herein are embodiments of systems, methods, and products comprise an analytic server, which provides a terrain segmentation and classification tool for synthetic aperture radar (SAR) imagery. The server accurately segments and classifies terrain types in SAR imagery and automatically adapts to new radar sensors data. The server receives a first SAR imagery and trains an autoencoder based on the first SAR imagery to generate learned representations of the first SAR imagery. The server trains a classifier based on labeled data of the first SAR imagery data to recognize terrain types from the learned representations of the first SAR imagery. The server receives a terrain query for a second SAR imagery. The server translates the second imagery data into the first imagery data and classifies the second SAR imagery terrain types using the classifier trained for the first SAR imagery. By reusing the original classifier, the server improves system efficiency.

Abstract: A system having a distributed node hardware and software product is disclosed. The distributed topology allows for multiple GPS receiver node positions. The multiple GPS receiver node positions enable an accurate location estimation of a GPS spoofing signal emitter source of an incoming malicious GPS signal. The system detects the presence of a GPS spoofing signal emitter with high confidence against any spoofing geometry or strategy while the GPS receiver nodes are on the move.

Abstract: In general, this disclosure describes media stream transmission techniques for a computing device. The computing device may capture an image of a local background environment. The computing device may record a first media stream that includes at least a portion of the image of the background environment and at least one movement of at least one object through the background environment. The computing device may remove the image of the background environment from the first media stream to create a second media stream that includes the movement of the object without the image of the background environment. The computing device may determine a bandwidth of a network over which the second media stream will be transmitted and perform further alterations to the second media stream if the current bandwidth is less than a bandwidth threshold level in order to reduce the bandwidth needed to transmit the second media stream.

Abstract: A system includes network nodes, such as, multiple computing devices and multiple software defined radios. The network nodes accurately and timely detects, identifies, locates, and responds to an unmanned aircraft system within a predetermined area. The network nodes use a communications control link between the unmanned aircraft system and a controller of the unmanned aircraft system to detect, identify, locate, and respond to the unmanned aircraft system. The network nodes are deployed over the predetermined area to maintain airspace situational awareness of the unmanned aircraft system, and deploy targeted countermeasures to counteract identified threats associated with the presence of the unmanned aircraft system within the predetermined area.

Abstract: Described herein are various computing technologies for various reverse engineering platforms capable of outputting a human readable and high level source code from various binary files in its original language, as developed before compilation. For example, a computer-implemented method includes generating, by a computer, an intermediate representation having machine-readable data representing assembly language for a binary file; detecting, by the computer, a set of one or more structural features by executing a convolutional neural network on the intermediate representation, the set of one or more structural features having one or more optimizations; identifying, by the computer, a set of one or more code transformations corresponding to the one or more optimizations detected in the set of one or more structural features; and generating, by the computer, one or more source code files representing the binary file according to the set of one or more code transformations.

Abstract: Disclosed herein are embodiments of systems, methods, and products for modernizing and optimizing legacy software. A computing device may perform an automated runtime performance profiling process. The performance profiler may automatically profile the legacy software at runtime, monitor the memory usage and module activities of the legacy software, and pinpoint/identify a subset of inefficient functions in the legacy software that scale poorly or otherwise inefficient. The computing device may further perform a source code analysis and refactoring process. The computing device may parse the source code of the subset of inefficient functions and identify code violations within the source code. The computing device may provide one or more refactoring options to optimize the source code. Each refactoring option may comprise a change to the source code configured to correct the code violations. The computing device may refactor the source code based on a selected refactoring option.

Abstract: Disclosed herein are embodiments of systems, methods, and products providing real-time anti-malware detection and protection. The computer uses artificial intelligence techniques to learn and detect new exploits in real time and protect the full system from harm. The computer trains a first machine learning model for executable files. The computer trains a second machine learning model for non-executable files. The computer trains a third machine learning model for network traffic. The computer identifies malware using the various machine learning models. The computer restores to a clean, uncorrupted state using virtual machine technology. The computer reports the detected malware to a security server, such as security information and even management (SIEM) systems, by transmitting detection alert message regarding the malware. The computer interacts with an administrative system over an isolated control network to allow the system administrator to correct the corruption caused by the malware.

Abstract: Disclosed herein are embodiments of systems, methods, and products comprise a processor, which provides runtime enforcement of data flow integrity. The processor accesses the application binary file from the disk to execute an application and translates the application binary into intermediate representation. The processor applies the logic of data flow integrity controls to the intermediate representation. Specifically, the processor identifies the vulnerable code in the intermediate representation. The processor applies data flow integrity controls to the vulnerable code. The processor adds simple instrumentation that only changes the application's behavior when unauthorized data tampering occurs while preserving the application's normal behavior. When certain operations may cause unauthorized data tampering, the processor takes proper measures to stop the operations. The processor translates the intermediate representation back to a machine code and replaces the original binary with the machine code.

Abstract: In general, this disclosure describes methods and devices for analyzing source code to detect potential bugs in the code. Specifically, a device retrieves source code of an application. For each distinct execution of a plurality of executions of the application, the device initiates the respective execution at a particular starting point of the source code and inputs, into the source code, a unique set of inputs relative to any other execution. The device stores, into a path log, an indication of each line of source code and stores, into an output log, an indication of each output object encountered during the respective execution. Each output object includes a local variable dependent on the inputs. The device analyzes, using a machine learning model, the path and output logs to identify an abnormality indicative of a potential bug in the source code. The device outputs a graphical representation of the abnormality.

Abstract: An example method includes, during execution of a software application in a computing system comprising a plurality of processing units, identifying platform-independent instructions that are configured to perform at least one computational task, wherein the plurality of processing units comprises a heterogeneous group, and wherein the platform-independent instructions have a format that is not specific to any particular processing unit in the plurality of processing units, determining one or more scheduling criteria that are associated with the platform-independent instructions, and selecting, from the heterogeneous group of processing units and based on the scheduling criteria, a processing unit to perform the at least one computational task.

Abstract: An example method includes selecting, based at least on first and second policies, first and second containers in which to execute first and second applications, respectively. The example method further includes isolating execution of the first application in the first container, and isolating execution of the second application in the second container. The example method also includes applying, based at least on the first policy, a first group of security controls to the first application executing in the first container, wherein the first container defines a first domain in which the first application is executed, and applying, based at least on the second policy, a second group of security controls to the second application executing in the second container, wherein the second container defines a second domain in which the second application is executed.

Abstract: An example method includes storing a scenario event list that defines one or more events associated with a training exercise, and configuring, based on the events defined in the scenario event list, one or more software agents to emulate one or more cyber-attacks against a host computing system during the training exercise, which includes configuring the software agents to save a state of one or more resources of the host computing system prior to emulating the cyber-attacks and to restore the state of the resources upon conclusion of the cyber-attacks. The example method further includes deploying the software agents for execution on the host computing system during the training exercise to emulate the cyber-attacks against the host computing system using one or more operational networks.

Abstract: In general, this disclosure describes media stream transmission techniques for a computing device. The computing device captures a first media item and identifies a primary portion of the first media item and a secondary portion of the first media item different than the primary portion. The computing device applies a first compression algorithm to the primary portion of the first media item to generate a compressed primary portion. The computing device applies a second compression algorithm to the secondary portion of the first media item to generate a compressed secondary portion, where a data compression ratio of the second compression algorithm is greater than a data compression ratio of the first compression algorithm. The computing device transmits, to a central computing device, the compressed primary portion of the first media item and the compressed secondary portion of the first media item.

Abstract: A method for improving efficiency of a training program begins with a processor monitoring and adapting execution of a training exercise of the training program. The processor determines a training program effectiveness measure including determining trainee skill improvement demonstrated during the training exercise, and monitoring and determining correctness and timeliness of trainee actions during the training exercise. The processor then determines a training program cost measure by determining a first monetary cost for the execution of the at least one training exercise, determining a second monetary cost associated with trainee manhours for the training exercise, and generating the training program cost measure based on the first and second monetary costs. The processor then computes a ratio of the training program effectiveness measure to the training program cost measure.

Abstract: Disclosed herein are embodiments of systems, methods, and products comprise an analytic server, which detects and defends against malware in-flight regardless of the specific nature and methodology of the underlying attack. The analytic server learns the system's normal behavior during testing and evaluation phase and trains a machine-learning model based on the normal behavior. The analytic server monitors the system behavior during runtime comprising the runtime behavior of each sub-system of the system. The analytic server executes the machine-learning model and compares the system runtime behavior with the normal behavior to identify anomalous behavior. The analytic server executes one or more mitigation instructions to mitigate malware. Based on multiple available options for mitigating malware, the analytic server makes an intelligent decision and takes the least impactful action that have the least impact on the system to maintain mission assurance.